The ongoing globalisation of business, and ever more accessible technology, allows personal data to be transferred anywhere in the world. Data protection laws allow such transfers to be made within the European Economic Area (EEA). However, transfers to countries outside the EEA are prohibited unless sufficient safeguards are put in place to protect the rights of the individuals to whom the data relates (data subjects).

The following highlights the ways in which personal data can be transferred outside the EEA:

  1. It is transferred to a country approved by the European Commission as having an "adequate level of protection" (e.g., Australia and Canada).
  2. It is transferred to a U.S. company registered under the U.S. "safe harbor" programme. The safe harbor scheme is currently under negotiation at the EU level following the Snowden revelations about mass surveillance of EU citizens' personal data held by U.S. cloud computing providers. A decision of the European Court of Justice on the validity of the safe harbour framework is also expected soon.
  3. It is transferred pursuant to "Model Clauses" that have been approved by the European Commission. There are different types of clauses depending on whether the transfer is to a data controller or a data processor.
  4. It is transferred between group companies who have implemented "Binding Corporate Rules" that have been approved by the Information Commissioner's Office.
  5. The data subject has provided valid (freely given and informed) consent to that transfer.
  6. The transfer is necessary for the performance of a contract with the data subject, for public interest reasons or for legal proceedings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.